AD / DNS problems whilst adding Server 2008 to existing 2003 Domain

Question

Currently have 2 Windows 2003 DC’s and I need to replace one of these with a new Win 2008 R2 machine.

What’s bugging me the most is this is the 4th time I’ve started from scratch with this new server – the first time the DCPROMO seemed to run ok and it was only when I was configuring IIS that this screwed it all up and I had to start again. It screwed it so bad in fact that I’d already transferred the FSMO roles across to it (http://support.microsoft.com/kb/324801) and was unable to run DCPROMO again to remove the server from the AD Config.

Then I installed the ADDS role, and then ran DCPROMO again. For the longest time I was continually getting an error stating that I had DHCP configured on the Network Adapter, but I’ve now (I think) disabled IPv6 completely and disabled all other network adapters (server has 4). The last time I ran DCPROMO I didn’t get the error.

DCPROMO runs and the machine gets a restart. The IP properties are set up so the new server has an ip of 10.61.15.4 (the others are 10.61.15.5 and .6 respectively). Subnet is set to 255.255.555.0 and default gateway 10.61.15.1.

The DNS was set, before running DCPROMO, to look at 10.61.15.5 as otherwise I was unable to run DCPROMO as it told me it couldn’t find a domain controller.

I then restart and get Event ID 4013 errors on boot up, and dcdiag gives me the following:

4013 ERROR:

Source DNS

EVENT ID 4013

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization
is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain
to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

DCDIAG RESULTS:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

Home Server = slgc-lri-svr-01

* Identified AD Forest.

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

Starting test: Connectivity

......................... SLGC-LRI-SVR-01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SLGC-LRI-SVR-01

Starting test: Advertising

......................... SLGC-LRI-SVR-01 passed test Advertising

Starting test: FrsEvent

There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.

......................... SLGC-LRI-SVR-01 passed test FrsEvent

Starting test: DFSREvent

......................... SLGC-LRI-SVR-01 passed test DFSREvent

Starting test: SysVolCheck

......................... SLGC-LRI-SVR-01 passed test SysVolCheck

Starting test: KccEvent

A warning event occurred. EventID: 0x80000B46

Time Generated: 07/14/2010 13:21:37

Event String:

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not
request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this
server.

......................... SLGC-LRI-SVR-01 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... SLGC-LRI-SVR-01 passed test

KnowsOfRoleHolders

Starting test: MachineAccount

......................... SLGC-LRI-SVR-01 passed test MachineAccount

Starting test: NCSecDesc

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set

access rights for the naming context:

DC=ForestDnsZones,DC=leicester,DC=serco,DC=com

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set

access rights for the naming context:

DC=DomainDnsZones,DC=leicester,DC=serco,DC=com

......................... SLGC-LRI-SVR-01 failed test NCSecDesc

Starting test: NetLogons

......................... SLGC-LRI-SVR-01 passed test NetLogons

Starting test: ObjectsReplicated

......................... SLGC-LRI-SVR-01 passed test

ObjectsReplicated

Starting test: Replications

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

......................... SLGC-LRI-SVR-01 passed test Replications

Starting test: RidManager

......................... SLGC-LRI-SVR-01 passed test RidManager

Starting test: Services

......................... SLGC-LRI-SVR-01 passed test Services

Starting test: SystemLog

An error event occurred. EventID: 0x0000040B

Time Generated: 07/14/2010 12:29:20

Event String:

The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.

An error event occurred. EventID: 0x0000040C

Time Generated: 07/14/2010 12:29:20

Event String:

The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 12:29:25

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 12:39:54

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter.
The error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 12:39:55

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter.
The error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 12:40:11

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter.
The error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 12:40:32

Event String:

Name resolution for the name slgc-lri-svr-01.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 12:51:00

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter.
The error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 12:51:01

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter.
The error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 12:51:19

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter.
The error was: The entry is not found. (0x800706E1)

An error event occurred. EventID: 0x00000456

Time Generated: 07/14/2010 13:05:40

Event String:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted
domain that resides in the same forest as the computer account.

A warning event occurred. EventID: 0x8000001D

Time Generated: 07/14/2010 13:08:39

Event String:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function
correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 13:08:50

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00000420

Time Generated: 07/14/2010 13:16:01

Event String:

The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This
is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 13:16:05

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x00000420

Time Generated: 07/14/2010 13:16:47

Event String:

The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This
is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 13:16:51

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x00000420

Time Generated: 07/14/2010 13:17:31

Event String:

The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This
is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 13:17:35

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x00000420

Time Generated: 07/14/2010 13:18:01

Event String:

The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This
is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 13:18:05

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x80000431

Time Generated: 07/14/2010 13:18:32

Event String:

The attempt by user LEICESTER\administrator to restart/shutdown computer SLGC-LRI-SVR-01 failed

A warning event occurred. EventID: 0x8000001D

Time Generated: 07/14/2010 13:21:30

Event String:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function
correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 13:21:41

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 13:22:03

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/14/2010 13:24:09

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

I can see the AD has replicated across as I can browse users and computers etc, but I don’t want the DNS setup this way as it’s not set like this on the other servers. So I go into IP properties and see that the system has auto added the alternate DNS of 127.0.0.1. The preferred is still set to 10.61.15.5, which now needs changing to that of this new server, and the 127.0.0.0 removed.

It takes 20 minutes to get past the Apply computer setting dialog too even when set to look at 10.61.15.5.

Once I change these settings it cannot replicate or connect to the internet, and the problem then is the network adapter reports it cannot connect to a network (unidentified network) and the server has no access to the DC to replicate at all.

I feel like I’m missing something here, I’ve spent 4 days trying to get this working and I’ve tried all sorts of stuff – too much to list. I’m open to any suggestions and will try anything. I’m not sure if the problem lies with the DNS settings somewhere, the AD config or the IP settings on the new server.

I’m sort of assuming the problem may lie somewhere with AD as, like I say at the very beginning, I believe I got it all working in the first place. The new server was most certainly pointing to itself for DNS at the very least, however I can’t confirm whether I got the 4013 errors or dcdiag errors as, being totally honest, this is my first server migration and I wasn’t aware of the tools available – it’s only since I’ve had problems that I’m truly learning all about AD/DNS.

Answers

Firmware was already at latest, drivers are now up to date. When I first took delivery of the server I had updated all of the firmware, so on an off chance I decided to downgrade the NIC firmware back to what it came with. This seems to have made a difference. Instead of the NIC displaying searching or cannot connect, it EVENTUALLY connects to the domain and internet. So I changed the DNS to point to itself (10.61.15.4) and rebooted.

The startup time is now down to around 5 minutes and once I was logged in the NIC icon in the corner had the hourglass / blue circle icon spinning for a good 2 minutes. After this it connected to the domain and internet and it seemed to be working. After subsequent restarts the NIC doesn't do this at all.

So I perform all of the following:

Repadmin /syncall

Net share (checks SYSVOL)

Dcdiag

Nslookup (on all 3 servers in DNS snap-in)

Dcdiag still gave me errors; they are mainly related to the other 3 NICs being down (of course they are) and a few DNS related issues, but after leaving it for some time rerunning this gives no errors at all. All the other tests report full replication and functionality.

I still have the 4013 errors in the DNS Event log, but reading up on this other people seem to experience this issue too with Win2k8R2:
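The four checks the poster ran by hand above (repadmin /syncall, net share, dcdiag, nslookup against each DNS server) can be scripted into one post-promotion health check. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the new DC, uses only the built-in tools already named in the thread (plus WMI and Get-WinEvent, both present on Server 2008 R2), and the domain name and DC addresses are the thread's values, to be replaced with your own. The 4013 threshold in step 5 is a chosen value, not a Microsoft figure.

```powershell
# Added example: post-promotion health check for a new domain controller.
# Assumptions: run elevated on the new DC; $Domain and $DnsServers are the
# thread's values and must be replaced; the "3 events" threshold is arbitrary.
$Domain     = "leicester.serco.com"
$DnsServers = @("10.61.15.4", "10.61.15.5", "10.61.15.6")   # new DC first, then the two 2003 DCs
$Report     = @()

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:Report += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. Pull all partitions from every partner (/A all NCs, /e cross-site, /P push).
#    repadmin ends with "SyncAll terminated with no errors." when every link worked.
$sync = & repadmin /syncall /A /e /P 2>&1 | Out-String
$last = $sync -split "`r?`n" | Where-Object { $_ -match "SyncAll|error" } | Select-Object -Last 1
Add-Result "repadmin /syncall" ($sync -match "terminated with no errors") ([string]$last)

# 2. SYSVOL and NETLOGON must both be shared; a DC that has not finished its
#    initial sync does not advertise and usually has no NETLOGON share yet.
$shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
foreach ($s in @("SYSVOL", "NETLOGON")) {
    Add-Result "share $s" ($shares -contains $s) ("present: " + ($shares -contains $s))
}

# 3. dcdiag /q prints only failures, so empty output means every test passed.
$dcd = (& dcdiag /q 2>&1 | Out-String).Trim()
$dcdDetail = if ($dcd.Length -eq 0) { "no failures reported" } else { $dcd.Split("`n")[0] }
Add-Result "dcdiag /q" ($dcd.Length -eq 0) $dcdDetail

# 4. Every DNS server must answer the DC locator SRV query; this is the record whose
#    lookup timed out in the poster's log (EventID 0x3F6 = DNS Client 1014).
$srv = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($dns in $DnsServers) {
    $ans     = & nslookup -type=SRV $srv $dns 2>&1 | Out-String
    $targets = @([regex]::Matches($ans, "svr hostname\s*=\s*(\S+)") | ForEach-Object { $_.Groups[1].Value })
    $detail  = if ($targets.Count -gt 0) { $targets -join ", " } else { "no answer / timed out" }
    Add-Result "SRV via $dns" ($targets.Count -gt 0) $detail
}

# 5. DNS Server event 4013 since the last boot: a few at startup are the documented
#    "waiting for AD DS initial sync" race; one every two minutes means the DC never
#    finished syncing and needs another DC as its preferred DNS server.
$os    = Get-WmiObject Win32_OperatingSystem
$boot  = $os.ConvertToDateTime($os.LastBootUpTime)
$e4013 = @(Get-WinEvent -FilterHashtable @{ LogName = "DNS Server"; Id = 4013; StartTime = $boot } -ErrorAction SilentlyContinue)
Add-Result "DNS 4013 since boot" ($e4013.Count -le 3) ("count: " + $e4013.Count + " (boot " + $boot + ")")

$Report | Format-Table Check, Ok, Detail -AutoSize -Wrap
```

Run it once straight after the reboot and again after the periodic sync interval; the SRV rows are the ones to watch, because a DC whose own DNS server cannot return the _msdcs locator records will keep logging the name-resolution timeouts shown in the dcdiag output.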

All replies

Is the server pointing to itself for primary DNS or another DC/DNS server? If pointing to itself try pointing it to another box. Looks like you are running into a race condition (4013 error) where DNS and AD have issues during startup "race to startup".

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing
(integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

......................... SLGC-LRI-SVR-01 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... SLGC-LRI-SVR-01 passed test

KnowsOfRoleHolders

Starting test: MachineAccount

......................... SLGC-LRI-SVR-01 passed test MachineAccount

Starting test: NCSecDesc

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x00000C18

Time Generated: 07/14/2010 15:04:52

Event String:

The primary Domain Controller for this domain could not be located.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:05:11

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 15:05:10

Event String:

Name resolution for the name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.LEICESTER.SERCO.COM timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 15:05:14

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 15:05:31

Event String:

Name resolution for the name leicester.serco.com timed out after none of the configured DNS servers responded.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:05:38

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0x00000423

Time Generated: 07/14/2010 15:05:38

Event String:

The DHCP service failed to see a directory server for authorization.

An error event occurred. EventID: 0x00000423

Time Generated: 07/14/2010 15:05:51

Event String:

The DHCP service failed to see a directory server for authorization.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:06:05

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 15:06:10

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The
error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 15:06:11

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The
error was: The entry is not found. (0x800706E1)

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:06:32

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:06:59

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:07:26

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:07:54

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/14/2010 15:08:11

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:08:21

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:08:48

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:09:15

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/14/2010 15:09:42

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0x00000469

Time Generated: 07/14/2010 15:10:20

Event String:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine
gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

A warning event occurred. EventID: 0x00001695

Time Generated: 07/14/2010 15:10:45

Event String:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'leicester.serco.com.' failed. These records are used by other computers to locate this server
as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

An error event occurred. EventID: 0x00000469

Time Generated: 07/14/2010 15:14:25

Event String:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine
gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

A warning event occurred. EventID: 0x00001695

Time Generated: 07/14/2010 15:21:02

Event String:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'leicester.serco.com.' failed. These records are used by other computers to locate this server
as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

A warning event occurred. EventID: 0x00001695

Time Generated: 07/14/2010 15:21:02

Event String:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.leicester.serco.com.' failed. These records are used by other computers to locate
this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

A warning event occurred. EventID: 0x00001695

Time Generated: 07/14/2010 15:21:02

Event String:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.leicester.serco.com.' failed. These records are used by other computers to locate
this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

A warning event occurred. EventID: 0x8000001D

Time Generated: 07/14/2010 15:32:22

Event String:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 15:32:33

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 15:32:55

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/14/2010 15:35:02

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

A warning event occurred. EventID: 0x8000001D

Time Generated: 07/14/2010 15:45:45

Event String:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 15:45:56

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 15:46:17

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

Andy - are you using AD integrated DNS? If so, where are the DNS zones stored - in the domain naming context or in the application partitions (DomainDNSZones and ForestDNSZones)? What's the output of dnscmd /DirectoryPartitionInfo on each of them?

Create relevant directory partitions (dnscmd /createdirectorypartition) if needed, point all DCs to one of them (e.g. 10.61.15.5), restart Netlogon on each of them, and rerun dcdiag /v /c again...
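Two replies above ask for facts the poster does not yet know how to find: whether the new DC points to itself for DNS (the "race to startup" reply) and which partition each AD-integrated zone is stored in (the dnscmd reply). The script below answers both from one DC. It is an added example, not code from the thread; it assumes an elevated session on a Server 2008 R2 DC, that the "zone DN" line printed by dnscmd /ZoneInfo has the form shown in the comments, and that the domain name, the partner DC address and the zone names are the thread's values to be replaced. Restarting Netlogon, which the reply recommends, is opt-in via $RestartNetlogon so the check itself changes nothing.

```powershell
# Added example: where are the AD-integrated zones stored, and is this DC's DNS
# client pointed at another DC while it finishes its initial sync?
# Assumptions: $Domain/$OtherDC/$Zones are the thread's values; dnscmd output format
# as on Server 2008 R2; run elevated.
param([switch]$RestartNetlogon)

$Domain  = "leicester.serco.com"
$OtherDC = "10.61.15.5"                     # existing DC to use as preferred DNS while syncing
$Zones   = @($Domain, "_msdcs.$Domain")     # _msdcs may be its own zone or a sub-zone; dnscmd reports either

# 1. Zone location: the "zone DN" line of dnscmd /ZoneInfo names the naming context.
#    ...,DC=DomainDnsZones,...  -> domain application partition (all DNS servers in the domain)
#    ...,DC=ForestDnsZones,...  -> forest application partition (all DNS servers in the forest)
#    ...,CN=System,...          -> domain NC itself (Windows 2000-style storage, every DC)
foreach ($z in $Zones) {
    $info = & dnscmd /ZoneInfo $z 2>&1 | Out-String
    if ($info -match "zone DN\s*=\s*(.+)") {
        $dn = $matches[1].Trim()
        $where = switch -Regex ($dn) {
            "DC=ForestDnsZones" { "ForestDnsZones application partition"; break }
            "DC=DomainDnsZones" { "DomainDnsZones application partition"; break }
            "CN=System"         { "domain naming context (legacy storage)"; break }
            default             { "unrecognised DN: $dn" }
        }
        "{0,-32} {1}" -f $z, $where
    } else {
        "{0,-32} not AD-integrated or not hosted on this server" -f $z
    }
}

# 2. Which directory partitions this DNS server knows about and is enlisted in
#    (the dnscmd /DirectoryPartitionInfo step from the reply); output shown verbatim.
"`nDirectory partitions known to this server:"
& dnscmd /EnumDirectoryPartitions 2>&1
foreach ($p in @("DomainDnsZones.$Domain", "ForestDnsZones.$Domain")) {
    "`n$p :"
    & dnscmd /DirectoryPartitionInfo $p 2>&1
}

# 3. DNS client order on the active adapter. While the new DC is still syncing it must
#    list another DC first and itself (or 127.0.0.1) only as an alternate; otherwise the
#    DNS service waits on AD DS and AD DS waits on DNS, which is the 4013 race.
$nic   = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
         Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
$myIPs = @($nic.IPAddress)
$order = @($nic.DNSServerSearchOrder)
"`nActive adapter: {0}`nDNS search order: {1}" -f $nic.Description, ($order -join ", ")
if ($order.Count -eq 0) {
    "WARNING: no DNS servers configured on the active adapter"
} elseif ($order[0] -eq "127.0.0.1" -or $myIPs -contains $order[0]) {
    "WARNING: preferred DNS is this DC itself; point it at $OtherDC until replication completes"
}
if (-not ($order -contains $OtherDC)) { "WARNING: $OtherDC is not in the DNS list; add it as preferred or alternate" }

# 4. Opt-in: restart Netlogon so the DC re-registers its locator records, then verify
#    the registration from the partner DC's point of view.
if ($RestartNetlogon) {
    Restart-Service Netlogon
    & nltest /dsregdns
    & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $OtherDC
}
```

Run it on each DC in turn: the zone-location lines should agree on every server, and any DC whose DNS search order puts itself first is the one to fix before rerunning dcdiag /v /c.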

Yes, Integrated AD DNS. I'm going to sound thick here but how can I find out where the DNS zones are stored, in the Domain or Forest? Do you have any links to any procedures to follow for these things as I'm still on a steep learning curve, I must admit.

And I believe I didn't help the situation much by not leaving the DNS configuration pointing to the current server long enough. I can confirm that having DCPROMO'd the new server again (removing it as a DC and then adding again) the dcdiag gave more positive results immediately after a reboot. However after 10 minutes the results then changed to this:

NTDS (524) NTDSA: Database 'C:\Windows\NTDS\ntds.dit': The secondary index 'PDNT_index' of table 'datatable' may be corrupt. If there is no later event showing the index being rebuilt, then
please defragment the database to rebuild the index.

A warning event occurred. EventID: 0x800005B7

Time Generated: 07/14/2010 16:27:53

Event String:

Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization.

A warning event occurred. EventID: 0x80000B46

Time Generated: 07/14/2010 16:31:26

Event String:

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing
(integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

......................... SLGC-LRI-SVR-01 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... SLGC-LRI-SVR-01 passed test

KnowsOfRoleHolders

Starting test: MachineAccount

......................... SLGC-LRI-SVR-01 passed test MachineAccount

Starting test: NCSecDesc

......................... SLGC-LRI-SVR-01 passed test NCSecDesc

Starting test: NetLogons

......................... SLGC-LRI-SVR-01 passed test NetLogons

Starting test: ObjectsReplicated

......................... SLGC-LRI-SVR-01 passed test

ObjectsReplicated

Starting test: Replications

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1-BACKUP

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1-BACKUP

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1-BACKUP

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

REPLICATION LATENCY WARNING

ERROR: Expected notification link is missing.

Source SERVER1-BACKUP

Replication of new changes along this path will be delayed.

This problem should self-correct on the next periodic sync.

......................... SLGC-LRI-SVR-01 passed test Replications

Starting test: RidManager

......................... SLGC-LRI-SVR-01 passed test RidManager

Starting test: Services

......................... SLGC-LRI-SVR-01 passed test Services

Starting test: SystemLog

A warning event occurred. EventID: 0x8000001D

Time Generated: 07/14/2010 15:45:45

Event String:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 15:45:56

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 15:46:17

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/14/2010 15:48:23

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

A warning event occurred. EventID: 0x8000001D

Time Generated: 07/14/2010 16:10:56

Event String:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 16:11:07

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 16:11:28

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/14/2010 16:13:34

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

An error event occurred. EventID: 0xC0001B7E

Time Generated: 07/14/2010 16:17:30

Event String:

The sppuinotify service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:

An error event occurred. EventID: 0xC0001B58

Time Generated: 07/14/2010 16:17:30

Event String:

The SPP Notification Service service failed to start due to the following error:

A warning event occurred. EventID: 0x00000018

Time Generated: 07/14/2010 16:19:35

Event String:

Time Provider NtpClient: No valid response has been received from domain controller server1.leicester.serco.com after 8 attempts to contact it. This domain controller will be discarded as
a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The client fails authenticating a response with netlogon failure.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 16:24:45

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

An error event occurred. EventID: 0x0000040B

Time Generated: 07/14/2010 16:24:50

Event String:

The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.

An error event occurred. EventID: 0x0000040C

Time Generated: 07/14/2010 16:24:50

Event String:

The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 16:24:55

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 16:24:55

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The
error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x00000081

Time Generated: 07/14/2010 16:24:56

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The
error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x8000001D

Time Generated: 07/14/2010 16:31:20

Event String:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/14/2010 16:31:31

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x00002724

Time Generated: 07/14/2010 16:31:47

Event String:

This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/14/2010 16:33:57

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

Looks like it's working. This is with the current "main" server set up as the primary DNS. Should I now change this to point to the new server, i.e. itself? Are there any further checks worth doing at this point? I'm not confident it
will work should I touch this setting now.

Which gives these errors in the System Event Log and running dcdiag again:

Starting test: SystemLog

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/15/2010 08:58:47

Event String:

Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

An error event occurred. EventID: 0xC0002719

Time Generated: 07/15/2010 08:59:08

Event String:

DCOM was unable to communicate with the computer 192.168.0.2 using any of the configured protocols.

An error event occurred. EventID: 0xC0002719

Time Generated: 07/15/2010 08:59:29

Event String:

DCOM was unable to communicate with the computer 192.168.0.5 using any of the configured protocols.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/15/2010 09:09:23

Event String:

Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

An error event occurred. EventID: 0xC0002719

Time Generated: 07/15/2010 09:09:44

Event String:

DCOM was unable to communicate with the computer 192.168.0.2 using any of the configured protocols.

An error event occurred. EventID: 0xC0002719

Time Generated: 07/15/2010 09:10:05

Event String:

DCOM was unable to communicate with the computer 192.168.0.5 using any of the configured protocols.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/15/2010 09:10:36

Event String:

Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

An error event occurred. EventID: 0xC0002719

Time Generated: 07/15/2010 09:10:57

Event String:

DCOM was unable to communicate with the computer 192.168.0.2 using any of the configured protocols.

An error event occurred. EventID: 0xC0002719

Time Generated: 07/15/2010 09:11:18

Event String:

DCOM was unable to communicate with the computer 192.168.0.5 using any of the configured protocols.

......................... SLGC-LRI-SVR-01 failed test SystemLog

So I then change the DNS in IP settings to point to itself and I get no change; tests give the exact same results. The server is still up and I'm getting none of the reported cannot-connect errors.

After a reboot, however, it's back to square one - it took an age to log in and "apply user settings", it is still logging the 4013 errors in the DNS Event log, the network connection reports that it no longer has internet access (and
it's no longer connecting to the domain) and running dcdiag again naturally displays a whole host of problems, mainly to do with replication and being unable to connect etc.

This is most definitely a DNS related issue!

I hope this is all relevant information and I'm not waffling on and barking up the wrong tree. Anyone ANY ideas?

Let's back up a bit - point all three DCs to 10.61.15.5 as their primary and only DNS server and reboot each of them (one at a time though - starting with 10.61.15.5 and ending with the Windows Server 2008 R2-based one). Let us know
if you are seeing any errors at that point.

If not, then check the replication between them by running repadmin /showrepl on each and let us know if you are seeing any errors.

Right, done that - all three servers set to look at primary DNS 10.61.15.5. Restarted .5, then .6, then .4 (the new one).

Then dcdiag on each:

10.61.15.5: No errors at all

10.61.15.6: EVENT ID 24:

Time Provider NtpClient: No valid response has been received from domain controller server1.leicester.serco.com after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain
controller from which to synchronize.

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing
(integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x00000C18

Time Generated: 07/15/2010 13:37:37

Event String:

The primary Domain Controller for this domain could not be located.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:37:55

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/15/2010 13:37:54

Event String:

Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/15/2010 13:38:15

Event String:

Name resolution for the name leicester.serco.com timed out after none of the configured DNS servers responded.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:38:22

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:38:49

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

A warning event occurred. EventID: 0x00000081

Time Generated: 07/15/2010 13:38:59

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The
error was: The entry is not found. (0x800706E1)

A warning event occurred. EventID: 0x00000081

Time Generated: 07/15/2010 13:39:00

Event String:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The
error was: The entry is not found. (0x800706E1)

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:39:16

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:39:43

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:40:10

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:40:38

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/15/2010 13:41:00

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:41:05

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:41:32

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:41:59

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

An error event occurred. EventID: 0xC00038D6

Time Generated: 07/15/2010 13:42:26

Event String:

The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

A warning event occurred. EventID: 0x00001695

Time Generated: 07/15/2010 13:43:29

Event String:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'leicester.serco.com.' failed. These records are used by other computers to locate this server
as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly
if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

A warning event occurred. EventID: 0x000003F6

Time Generated: 07/15/2010 13:57:39

Event String:

Name resolution for the name _ldap._tcp.dc._msdcs.leicester.serco.com timed out after none of the configured DNS servers responded.

A warning event occurred. EventID: 0x000727AA

Time Generated: 07/15/2010 14:00:04

Event String:

The WinRM service failed to create the following SPNs: WSMAN/slgc-lri-svr-01.leicester.serco.com; WSMAN/slgc-lri-svr-01.

Is 10.61.16.4 processing group policies at this point? If so, the issues you are running into seem to be transient and limited to the initial startup. Have you verified that the network components (both in terms of switches and network adapters on that DC) are operating
correctly? Are you using teaming by any chance?

It's funny you should suggest this, as I too was verging on going down the NIC route after I realized that if I disable the NIC and then re-enable it, I'm immediately unable to reconnect to the domain - it simply states "searching..." and the NIC shows a yellow
exclamation.

So last night I left the server overnight with a dcdiag full of errors and this morning, without touching a thing (it's still pointing at 10.61.15.5 for DNS, mind you), I get this:

Last night I downloaded the latest firmware and driver package, so I've installed both this morning. It seems the problem still remains after a boot up - the dcdiag is immediately full of errors and the 4013 error is still appearing in the DNS Event
log (but of note is that it only ever appears once after a boot up; it then never comes up again, meaning that the initial sync does complete, albeit not when it's supposed to).

What do you think? Something at startup clearly isn't right.

The server is an HP ProLiant DL380 G6, using what I believe are Broadcom NICs but with HP NC382i DP Gigabit drivers (version 5.2.14.0).

I'll be Googlin' this one for sure...

Thanks for all your help so far Marcin, I can't begin to show my appreciation for your efforts; getting this system working is my biggest priority as without it the whole site doesn't get to use their new server and the old one will slowly die!

Firmware was already at the latest, drivers are now up to date. When I first took delivery of the server I had updated all of the firmware, so on an off chance I decided to downgrade the NIC firmware back to what it came with. This seems to have
made a difference. Instead of the NIC displaying "searching" or "cannot connect" it EVENTUALLY connects to the domain and internet. So I changed the DNS to point to itself (10.61.15.4) and rebooted.

The startup time is now down to around 5 minutes and once I was logged in the NIC icon in the corner had the hourglass / blue circle icon spinning for a good 2 minutes. After this it connected to the domain and internet and it seemed to be working.
After subsequent restarts the NIC doesn't do this at all.

So I perform all of the following:

Repadmin /syncall

Net share (checks SYSVOL)

Dcdiag

Nslookup (on all 3 servers in DNS snap-in)

Dcdiag still gave me errors; they are mainly related to the other 3 NICs being down (of course they are) and a few DNS related issues, but after leaving it for some time, rerunning this gives no errors at all. All the other tests report full replication
and functionality.

I still have the 4013 errors in the DNS Event log, but reading up on this other people seem to experience this issue too with Win2k8R2:

Well, it appears this issue isn't resolved after all. I had left the new server configured so that its primary DNS is set to itself, 10.61.15.4, and the secondary DNS 10.61.15.6, which is my backup server.

I configured a client PC to point to just 10.61.15.4 for its DNS and it never resolves - I get no internet, no connection to the outside world. I can connect to the intranet site running on 10.61.15.4, and see the network shares, but that's it.

So I've changed the DNS on the server so that it only points to itself and I get the following information about the NIC status in the system tray:

Currently connected to leicester.serco.com, No Internet access (with yellow exclamation).

Where do I start here, as the only errors I'm getting related to DNS in the Event logs are the 4013 errors as before?

I'm confident this fix may help others with a similar problem (I found several on the net)

Now it appears the issue is resolved, properly!

Maybe someone in the know could clarify this, but it appears that the Forwarders in the Properties dialog box for the selected server were not copied across when the DNS was. So in effect, whilst the DNS that is integrated within AD gets pushed
out to any new DC that joins it, these Forwarders are not. Very strange. Anyone know why this may be?

So to fix, go into the DNS snap-in, right-click on the server, click Properties, then the Forwarders tab.

So it's working now using its own IP as the primary DNS, and it will resolve DNS for the clients too.
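The checks this thread walks through by hand (the repadmin / net share / dcdiag / nslookup round from the earlier post and the missing-forwarders fix above) can be scripted so the new DC is verified the same way every time. This is an added example, not code from the thread or from Microsoft; it assumes a management host with PowerShell 3 or later and the DnsServer, DnsClient and SmbShare modules (Windows Server 2012+ or RSAT), with the 2008 R2-era dnscmd equivalents noted in comments. The host names and addresses are the ones quoted in the thread.

```powershell
# Added example: post-promotion DNS and replication check for a new DC.
# Assumes PowerShell 3+ with DnsServer/DnsClient/SmbShare modules on the
# machine running it; the DCs can be 2008 R2 (see dnscmd notes).
$Domain     = 'leicester.serco.com'
$NewDc      = '10.61.15.4'     # the new Windows Server 2008 R2 DC
$ExistingDc = '10.61.15.5'     # the known-good 2003 DC
$SrvRecord  = "_ldap._tcp.dc._msdcs.$Domain"   # the name that timed out (Event 0x3F6)

# 1. Ask each DC's own DNS service for the DC locator SRV record and for an
#    external name. A DC that answers the SRV query but not the external name
#    has the AD-integrated zone but no working forwarders, which is exactly
#    the symptom the thread ended up with.
foreach ($dns in @($NewDc, $ExistingDc)) {
    foreach ($name in @($SrvRecord, 'www.microsoft.com')) {
        try {
            $r = Resolve-DnsName -Name $name -Server $dns -DnsOnly -ErrorAction Stop
            '{0,-12} {1,-45} OK ({2} record(s))' -f $dns, $name, @($r).Count
        } catch {
            '{0,-12} {1,-45} FAIL: {2}' -f $dns, $name, $_.Exception.Message
        }
    }
}

# 2. Forwarders are a per-server setting, not part of the AD-integrated zone,
#    so they do not replicate with it. Compare the two servers and copy any
#    that the new DC is missing.
#    (2008 R2 equivalent: "dnscmd <server> /Info" lists the current forwarders,
#     "dnscmd <server> /ResetForwarders <ip> [<ip> ...]" sets them.)
$fwdNew = @((Get-DnsServerForwarder -ComputerName $NewDc).IPAddress |
            ForEach-Object { $_.IPAddressToString })
$fwdOld = @((Get-DnsServerForwarder -ComputerName $ExistingDc).IPAddress |
            ForEach-Object { $_.IPAddressToString })
$missing = @($fwdOld | Where-Object { $_ -notin $fwdNew })
if ($missing.Count -gt 0) {
    "Forwarders on $ExistingDc but missing on $NewDc : $($missing -join ', ')"
    Add-DnsServerForwarder -ComputerName $NewDc -IPAddress $missing -PassThru
} else {
    "Forwarders match on $NewDc and $ExistingDc."
}

# 3. Replication state as Marcin asked for it (errors only), then confirm the
#    SYSVOL and NETLOGON shares exist on the new DC, which is what the thread's
#    "net share" step was checking.
repadmin /showrepl $NewDc /errorsonly
Get-SmbShare -CimSession $NewDc -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue |
    Select-Object PSComputerName, Name, Path
```

Run it after each reboot of the new DC; step 1 failing only for the external name while the SRV lookup succeeds points at forwarders rather than at replication or the NIC.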
